If you can't beat hackers, leave them empty handed: Plain Dealing

Visa, MasterCard and AmEx say creating an international payment token standard could better protect consumers from fraud when they use credit cards and mobile devices to make purchases - and give merchants an easier way to thwart hackers. (Associated Press)

Early this year, federal authorities broke up one of the biggest credit card fraud rings in U.S. history. Even so, by mid-year, there were more cardholder data breaches than in all of 2012.

Consumers are the ones caught in the crossfire. We have to hand over data to buy things, but we have little control over what happens to it once it leaves our hands.

Roughly 90 percent of all financial data breaches worldwide target the United States or U.S. companies. And while international crime rings have grown sophisticated enough to invest profits into developing better theft software, an awful lot of breaches still boil down to what one security pro called “ground balls” — lax computer security, too many people willing to click on malware-laden email and way too many weak passwords.

Security professionals from across the country gathered at the Visa Global Security Summit in Washington, D.C., at the beginning of the month to wrestle with strategies for fighting cybercrime. They talked a lot about how security had to be multi-layered and keep evolving to thwart thieves.

But the conversation kept circling back to the idea of stripping financial information from stored data, so that, even if thieves steal it, the data would be useless to them and harmless for us.

It's called tokenization, and it's a little like turning diamonds back into coal dust.

Jennifer Fischer, who heads the Americas Payment Systems Security unit at Visa, explained it this way: You make a purchase with your credit card. Your account data travels to a processor, which sends the store an electronic token unique to the transaction. The token contains no account or other meaningful data. It's just a marker of sorts. Let's say you want to return the item later. The merchant uses the stored token to identify the transaction and reverse the charge.
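
The flow described above, as an added Python example (not code from Visa or any processor): the store keeps only a random per-transaction token, and the processor alone can map it back to the charge. The class names, merchant ids and in-memory vault are hypothetical, and the card number is a constructed test value.

```python
import secrets

class Processor:
    """Stands in for the card processor, the only party that keeps card numbers."""
    def __init__(self):
        self._vault = {}  # token -> transaction record, held by the processor only

    def authorize(self, merchant_id, card_number, amount_cents):
        # The token is random, so nothing about the card can be derived from it.
        token = secrets.token_urlsafe(16)
        self._vault[token] = {"merchant": merchant_id, "card": card_number,
                              "amount": amount_cents, "refunded": False}
        return token

    def refund(self, merchant_id, token):
        record = self._vault.get(token)
        # Reject unknown tokens, tokens issued to another merchant, repeat refunds.
        if record is None or record["merchant"] != merchant_id or record["refunded"]:
            return None
        record["refunded"] = True
        return record["amount"]

class Merchant:
    def __init__(self, merchant_id, processor):
        self.merchant_id, self.processor = merchant_id, processor
        self.orders = {}  # order id -> token; this is all the store keeps

    def checkout(self, order_id, card_number, amount_cents):
        # The card number is passed to the processor and never stored here.
        token = self.processor.authorize(self.merchant_id, card_number, amount_cents)
        self.orders[order_id] = token

    def return_item(self, order_id):
        return self.processor.refund(self.merchant_id, self.orders[order_id])

def demo():
    card = "4111111111111111"  # constructed test number, not a real account
    processor = Processor()
    store = Merchant("store-1", processor)
    store.checkout("order-1001", card, 2599)
    store.checkout("order-1002", card, 1000)
    copied = dict(store.orders)  # what a breach of the store's records exposes
    return {
        "card_in_store_records": any(card in t for t in copied.values()),
        "tokens_differ": copied["order-1001"] != copied["order-1002"],
        "other_merchant_refund": processor.refund("store-2", copied["order-1001"]),
        "refund": store.return_item("order-1001"),
        "repeat_refund": store.return_item("order-1001"),
    }
```
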

Tokens are an evolving technology. PayPal uses some Bluetooth-based tokens, and a number of developers are working on tokenization technology that would create icons unique to customers or, more likely, to individual transactions.

But tokens could work with both mobile devices and the smart-chip credit cards (used throughout Europe) that could eventually make their way here.

Meanwhile, the card payment industry is working to identify and corral the damage caused by breaches. Visa says it's tweaking software to more quickly sift through the histories of compromised cards to identify common factors -- for example, a bunch of compromised cards were all used at a particular restaurant -- that could indicate a data leak.

And soon, consumers might get quicker notice of card fraud, because banks are talking about real-time transaction alerts for customers.

Although some card issuers hesitate to talk about fraud with consumers for fear of spooking them, Jim Van Dyke, the CEO of Javelin Research, says his research shows the opposite is true.

“The more companies talk about security … the more consumers actually like it,” he said. Not only do they trust companies that talk about security more, Van Dyke said, consumers become more vigilant themselves.

Throughout the conference, speakers stressed the need for companies to integrate security into apps and other technology starting at the design phase. “We cannot afford to retrofit security,” Ellen Richey, Visa's chief enterprise risk officer, told the crowd.

Anticipating how thieves think can be a bit of a dark art, though.

A Brazilian banker talked about biometric technology that allows customers to withdraw funds card-free by touching a hand to a screen for verification. The bank designed it so the touchscreen recognizes not just the hand print but detects veins, so that thieves aren’t tempted to sever someone’s hand to get access to an account.

cleveland.com is powered by Plain Dealer Publishing Co. and Northeast Ohio Media Group. All rights reserved. The material on this site may not be reproduced, distributed, transmitted, cached or otherwise used, except with the prior written permission of Northeast Ohio Media Group LLC.